Kathleen,

Is it captured somewhere that the CA will provide Mozilla with updated contact info if a new person becomes the point of contact for the CA? I wasn't sure.

From: Kathleen Wilson
Sent: Monday, November 4, 2013 6:08 PM
Subject: Re: CAs contracting out the work to do the root inclusion process

Thank you David, Wendy, and Gerv for your input.

Here are my current thoughts on this.

> Can a CA hire someone to manage the inclusion process for them?

Yes, but a known individual within the CA must also get a Bugzilla
account and comment in the bug to say that they will be the primary
point of contact for the CA.

> What is the role of the CA’s primary point of contact (POC) with
> regard to Mozilla’s CA program?

The CA’s POC must be someone within the CA’s organization who has
authority to speak on behalf of the CA, to make commitments for the CA,
and to direct whatever changes the review process or Mozilla’s CA
Communications require. That person should also be in a position that
can be held accountable by the CA. A CA may have more than one POC, and
may use a contractor as one of the POCs.

The POC will:
- Provide annual audit statements
- Respond to CA Communications
- Make sure the CA’s rows in the included spreadsheet remain current
(http://www.mozilla.org/projects/security/certs/included/)
- Inform Mozilla when there is a change in the organization, ownership,
CA policies, or in the POC that Mozilla should be aware of, as per items
4 through 7 of
http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html

> Can email aliases be used for the CA’s POC?

Both an email alias and a direct email address must be provided.
At least one of the POCs must be an employee of the CA.
If the CA uses a contractor as an additional POC, then someone at the CA
must be CC’d on the root inclusion Bugzilla bug, CA Communications, and
the CA’s responses to CA Communications.

> What sort of authoritative confirmation is needed to ensure that the
> person truly should be the CA’s POC?

As per Mozilla policy the CA’s audit statement is either published on a
credible auditor’s website, or a Mozilla representative performs an
independent step to communicate directly with the auditor to confirm the
authenticity of the audit statement that was provided.
https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
This provides an independent source of verification of the CA.

To ensure that the POC has the authority to perform the tasks listed
above, a representative of Mozilla will do the following.
1) Use the CA’s website to confirm that the domain in the email address
of at least one of the POCs is owned by the CA (e.g. @CAname.com).
2) Use the CA’s website to contact a person at the CA to confirm that at
least one of the POCs that have been provided does indeed have the
authority to perform the responsibilities listed above on behalf of the CA.
3) If a contractor is also used as a POC, then contact the POC that was
verified in step 2 to confirm that the CA has indeed enlisted the help
of the contractor.

David, I realize that this is not on par with what you suggested, but I
also need to take into account what I can realistically do within my
time (and work location) constraints.

While this may not be perfect, is this sufficient?

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy